跨多个域的单点登录

我们的公司有多个域名设置了一个网站托管在每个域名。此时,每个域都有自己的身份验证,这是通过 cookie 完成的。

当某人登录到一个域需要访问另一个域的任何东西时,用户需要使用位于另一个域的另一个网站上的不同凭证再次登录。

我正在考虑转向单点登录(SSO) ,这样就可以消除这种麻烦。我希望了解关于如何实现这一目标的任何想法,因为我在这方面没有任何经验。

谢谢。

编辑: 该网站是互联网(外部)和内部网(内部使用的公司)网站的组合。

95096 次浏览
小开

If you use Active Directory you could have each app use AD for authentication, login could then be seamless.

Otherwise, if the applications can talk to each other behind the scenes, you could use sessionids and have one app handling id generation serving all of your other applications.

小开

How different are the host names?

These hosts can share cookies:

  • mail.xyz.example
  • www.xyz.example
  • logon.xyz.example

But these cannot:

  • abc.example
  • xyz.example
  • www.tre.example

In the former case you can bang out a cookie-based solution. Think GUID and a database session table.

小开

The SSO solution that I've implemented here works as follows:

  1. There is a master domain, login.mydomain.example with the script master_login.php that manages the logins.
  2. Each client domain has the script client_login.php
  3. All the domains have a shared user session database.
  4. When the client domain requires the user to be logged in, it redirects to the master domain (login.mydomain.example/master_login.php). If the user has not signed in to the master it requests authentication from the user (ie. display login page). After the user is authenticated it creates a session in a database. If the user is already authenticated it looks up their session id in the database.
  5. The master domain returns to the client domain (client.mydomain.example/client_login.php) passing the session id.
  6. The client domain creates a cookie storing the session id from the master. The client can find out the logged in user by querying the shared database using the session id.

Notes:

  • The session id is a unique global identifier generated with algorithm from RFC 4122
  • The master_login.php will only redirect to domains in its whitelist
  • The master and clients can be in different top level domains. Eg. client1.abc.example, client2.xyz.example, login.mydomain.example
小开

Don't re-invent the wheel. There are a number of open source cross-domain SSO packages such as JOSSO, OpenSSO, CAS, Shibboleth and others. If you're using Microsoft Technology throughout (IIS, AD), you can use microsoft federation (ADFS) instead.


提交答案